Pod安全策略未按预期运行

时间:2019-03-08 19:29:21

标签: kubernetes google-kubernetes-engine

我正在创建Pod安全策略,以阻止所有用户将Pod创建为Root用户。我的集群在GKE上。 我到目前为止执行的步骤是

1)在集群中启用PodSecurityPolicy 

gcloud beta container clusters update standard-cluster-11  --enable-pod-security-policy

2)定义策略。该策略很简单,并且限制了root用户。

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: a-restrict-root
spec:
  privileged: false
  runAsUser:
    rule: MustRunAsNonRoot  # <------ Root user restricted.
  seLinux:
    rule: RunAsAny
  fsGroup:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  volumes:
  - '*'

3)然后当然要实施正确的RBAC规则,以便可以为所有用户实施。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gce:podsecuritypolicy:a-restrict-root
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/cluster-service: "true"
rules:
- apiGroups:
  - policy
  resourceNames:
  - a-restrict-root
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gce:podsecuritypolicy:a-restrict-root
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/cluster-service: "true"
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gce:podsecuritypolicy:a-restrict-root
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: system:serviceaccounts

现在是我尝试旋转Pod的部分。 pod定义如下:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 0
    fsGroup: 0
  volumes:
  - name: sec-ctx-vol
    emptyDir: {}
  containers:
  - name: sec-ctx-demo
    image: gcr.io/google-samples/node-hello:1.0
    volumeMounts:
    - name: sec-ctx-vol
      mountPath: /data/demo
    securityContext:
      allowPrivilegeEscalation: false

如您所见,runAsUser设置为0,表示root

当我运行kubectl create -f pod.yaml时,广告连播正在创建并进入Running状态。

当我执行到Pod中时,我可以看到所有进程都以root身份运行

$ kubectl exec -it security-context-demo -- sh
# ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.0   4336   812 ?        Ss   19:25   0:00 /bin/sh -c node server.js
root           6  0.4  0.5 772124 22656 ?        Sl   19:25   0:00 node server.js
root          11  0.0  0.0   4336   724 ?        Ss   19:26   0:00 sh
root          16  0.0  0.0  17500  2072 ?        R+   19:26   0:00 ps aux

但是根据我的PodSecurityPolicy,这是不允许的。有什么我想念的吗?

更新:

我启动了一个默认的Nginx Pod,我知道它总是以root用户身份启动。它的清单是:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - name: nginx
    image: nginx

当我创建它时,它也成功启动。

$ kubectl get po
NAME                    READY     STATUS    RESTARTS   AGE
nginx                   1/1       Running   0          2m

由于PSP,它不应该启动。

2 个答案:

答案 0 :(得分:1)

如果您从API提取创建的Pod,它将包含一个注释,指示哪个PSP允许Pod。我希望可以使用其他的PSP来支持广告连播

答案 1 :(得分:0)

我得到了您所缺少的,只需将其添加到您的pod配置文件中即可:

在此之前,请确保先在Docker容器中使用create the user (say, appuser) uid -> say, 999group (say, appgroup) gid ->say, 999,然后尝试从该用户启动该容器并添加:

securityContext:
  runAsUser: 999

这可能是一本好书:SecurityContext

此外,在执行此操作时:

apiVersion: v1
kind: Pod
metadata:
  name: security-context-demo
spec:
  securityContext:
    runAsUser: 0
    fsGroup: 0

您正在覆盖PodSecurityPolicy ,请参见here

更新:1

  

如何解决此问题:

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: a-restrict-root
spec:
  privileged: false
  defautlAllowPrivilegeEscalation: false
  # This is redundant with non-root + disallow privilege escalation,
  # but we can provide it for defense in depth.
  requiredDropCapabilities:
    - ALL
  hostIPC: false
  hostPID: false
  runAsUser:
    # Require the container to run without root privileges.
    rule: 'MustRunAsNonRoot'
  seLinux:
    # This policy assumes the nodes are using AppArmor rather than SELinux.
    rule: 'RunAsAny'
  supplementalGroups:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
  fsGroup:
    rule: 'MustRunAs'
    ranges:
      # Forbid adding the root group.
      - min: 1
        max: 65535
相关问题
最新问题